
RE: [Asrg] How to defeat spam that uses encryption?



Well, you don't need a formal PKI that does end-to-end encryption.
If you encrypt between mail servers, and let the last leg be unencrypted,
you'd get the same effect (keep POP3/IMAP for incoming and SMTP for outgoing, but
once at the server, the server can use its own randomly and routinely
generated keys; it just has to honor any incoming mail generated on a
recently expired key).

While that is NOT authentication, it does get us a level of control. Pub key
denial (due to blacklist) is one advantage. Another is the lock-step nature.
A downside is that unless the server serves out keys for accounts it doesn't
have, it can be used to validate accounts. Still, with a good RBL, the
effects should be minimal, as any spamming server will be denied.

Also, because the server holds the keys, it can still scan the messages.

Note that this works even without "encryption": if we change our thinking
to "tickets" (permission to send to an account, because that's all we're
really asking for), everything above still works.

> -----Original Message-----
> From: asrg-admin@ietf.org [mailto:asrg-admin@ietf.org] On Behalf Of
> Hallam-Baker, Phillip
> Sent: Monday, March 31, 2003 8:33 PM
> To: asrg@ietf.org
> Subject: RE: [Asrg] How to defeat spam that uses encryption?
>
>
> > > From: "Eric D. Williams" <eric@infobro.com>
> >
> > > ...
> > > All: A question is the discussion of end-user MUA
> > technology uses of encryption
> > > something people want to address as a 'spam' control solution?
> >
> > It's a complete non-starter and waste of time, because it suffers
> > the threshold problem in the worst way.  Early adopters get no
> > benefit and many hassles.  Despite decades of work, the mechanisms
> > to distribute keys are practically useless.  The user interfaces
> > are coming along, but they're still poor and sometimes just
> > don't work.
>
> The mechanisms designed to distribute keys are fine. The problem
> is the attempts to use X.500 and LDAP for this purpose which are
> longstanding abject failures.
>
> The problem with encryption is that encrypting a message says
> NOTHING about its authenticity. I can send you an encrypted
> message that purports to be from anyone I choose. To get any
> statement about authenticity you need a signature.
>
>
> > You can sometimes justify the practical hassles of encryption for
> > keeping your communications private, but that avoids the threshold
> > problem.  Many of us have used at least PGP for professional reasons,
> > but that's a whole other world.
>
> Don't project your experiences of PGP onto PKI. PGP has a very
> specific design which is fine for its intended purpose but that
> is not to provide a PKI.
>
>
> > Encryption, whether signing by senders or decrypting by receivers, is
> > useless against spam until almost all of your correspondents use it.
>
> It is useless against spam at any time.
>
> Authentication is useful as a means of bypassing spam filters and
> avoiding false positives even if relatively few people use it.
>
>
> 		Phill

_______________________________________________
Asrg mailing list
Asrg@ietf.org
https://www1.ietf.org/mailman/listinfo/asrg
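A toy illustration of the "ticket" variant of the scheme in the reply above (added here; it is not code from the thread or from any ASRG participant). It assumes a receiving server that mints HMAC tickets under a self-generated per-epoch secret instead of public keys, a clock that can be advanced for testing, and that the requesting server's name has already been established by the transport (for example a verified hostname on the connection); every hostname and address in it is made up. It demonstrates the properties the reply claims (blacklist denial, lock-step acceptance of only the current and the most recently expired key, message bodies still scannable because nothing is encrypted) and the caveat it raises (issuing tickets for accounts the server does not have, so that issuance cannot be used as an account-validation oracle). As Phill notes about encryption, a ticket says nothing about who wrote the message: it only proves that this receiving server granted the named sending server permission to deliver to that recipient.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class TicketServer:
    """Receiving mail server in the 'ticket' model from the thread: a sending
    server must first obtain permission to send to an account.

    Illustrative code only. Tickets are HMACs under a per-epoch secret the
    receiving server generates itself, so the server can still scan message
    content (it never encrypts the body). The identity of the requesting
    server is assumed to be established by the transport.
    """
    epoch_seconds: int = 3600
    accounts: set = field(default_factory=set)    # local mailboxes
    blacklist: set = field(default_factory=set)   # RBL stand-in: denied sending servers
    keys: dict = field(default_factory=dict)      # epoch -> random secret
    now: int = 0                                   # injectable clock (seconds)

    def current_epoch(self) -> int:
        return self.now // self.epoch_seconds

    def _key_for(self, epoch: int) -> bytes:
        # "randomly and routinely generated keys": a fresh secret per epoch
        return self.keys.setdefault(epoch, os.urandom(32))

    def _prune_keys(self) -> None:
        # Lock-step: only the current and the most recently expired key survive,
        # so a ticket minted two epochs ago is no longer honoured.
        keep = {self.current_epoch(), self.current_epoch() - 1}
        for epoch in list(self.keys):
            if epoch not in keep:
                del self.keys[epoch]

    @staticmethod
    def _mac(key: bytes, epoch: int, sender: str, recipient: str) -> str:
        # The ticket is bound to the epoch, the sending server and the recipient.
        msg = f"{epoch}|{sender}|{recipient}".encode()
        return hmac.new(key, msg, hashlib.sha256).hexdigest()

    def issue_ticket(self, sender: str, recipient: str):
        """Return a ticket string, or None when the sending server is denied."""
        self._prune_keys()
        if sender in self.blacklist:
            return None            # "pub key denial (due to blacklist)"
        # Caveat from the thread: hand out tickets for accounts we do NOT have
        # as well, so ticket issuance cannot be used to enumerate valid
        # accounts. Unknown recipients are refused at delivery time instead.
        epoch = self.current_epoch()
        return f"{epoch}:{self._mac(self._key_for(epoch), epoch, sender, recipient)}"

    def accept_delivery(self, sender: str, recipient: str, ticket) -> bool:
        """Decide whether an incoming message carrying `ticket` is accepted."""
        self._prune_keys()
        try:
            epoch_text, mac = ticket.split(":", 1)
            epoch = int(epoch_text)
        except (AttributeError, ValueError):
            return False           # malformed or missing ticket
        key = self.keys.get(epoch)  # pruned key means the ticket is too old
        if key is None:
            return False
        if not hmac.compare_digest(mac, self._mac(key, epoch, sender, recipient)):
            return False           # forged, tampered, or bound to another pair
        if sender in self.blacklist:
            return False           # listed after issuance: still denied
        return recipient in self.accounts


if __name__ == "__main__":
    # Constructed sample: one local account and one blacklisted sending server.
    mx = TicketServer(accounts={"alice@example.com"},
                      blacklist={"spam.example.net"}, now=7200)
    ticket = mx.issue_ticket("mx.example.org", "alice@example.com")
    print("issued:", ticket)
    print("delivered now:", mx.accept_delivery("mx.example.org", "alice@example.com", ticket))
    mx.now += 2 * mx.epoch_seconds
    print("delivered two epochs later:",
          mx.accept_delivery("mx.example.org", "alice@example.com", ticket))
```

The unknown-recipient refusal happens at delivery, where an SMTP server already refuses unknown recipients today, so the ticket step adds no enumeration channel that did not exist before. Because the key is the receiving server's own secret, the ticket can only be verified by that server; turning it into something a third party could check would require a signature, which is the distinction Phill draws between encryption and authentication.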